RE: IIS Directory traversal vulnerability

From: Bryan Allerdice (bryan_allerdice@yahoo.com)
Date: 07/25/01


From: "Bryan Allerdice" <bryan_allerdice@yahoo.com>
To: <incidents@securityfocus.com>
Subject: RE: IIS Directory traversal vulnerability
Date: Wed, 25 Jul 2001 16:19:28 -0400
Message-ID: <BGEALEDBHAGOPJFLFMODGEDPCEAA.bryan_allerdice@yahoo.com>


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It might help us if you were to include the portion of your IIS logs
which contains dr.exe.

Seeing how the commands are passed to dr.exe should give us a clue as
to whether dr.exe is simply cmd.exe renamed, or whether it is some
other customized command interpreter.

(When including the log portion, you may want to replace the IP
address of your server, and the IP of the attacker... other people do
when they upload logs to these lists.)

BRYAN

- -----Original Message-----
From: Lee Evans [mailto:lee@vital.co.uk]
Sent: Wednesday, July 25, 2001 5:35 AM
To: incidents@securityfocus.com
Subject: IIS Directory traversal vulnerability

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Any advice would be much appreciated - a couple of our boxes seem to
have been exploited using a directory traversal vulnerability, by
uploading a file called "dr.exe", and then passing it commands to
remove files from the box.

I have recovered our logfiles and the data fortunately, and I am
still examining the logs.

Is this dr.exe thing a known attack? (I can't seem to find anything
about it.)

The attacked boxes did have all the latest patches applied to them,
and I double checked this during the Code Red crisis, and applied any
that were missing.

Any information would be much appreciated.

Regards
Lee
- - --
Lee Evans
Vital Online Ltd

This message is intended only for the use of the person(s) ("The
intended recipient(s)") to whom it is addressed. It may contain
information which is privileged and confidential within the
meaning of applicable law. If you are not the intended recipient,
please contact the sender as soon as possible. The views expressed
in this communication may not necessarily be the views held by Vital
Online Ltd.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7XpKrhtUFQXeFbZYRAh0mAKCTpYRfp5m/MBHHc/tvYYdxMqf9qQCeNpru
+QqVQuyw/IhvuMQfwnP7lhc=
=Zel8
- -----END PGP SIGNATURE-----

- ----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO18pz4QImHalSbbtEQKuLwCbBv9DlpPedtht2AtoSJJksEaZkcwAoMLs
9F7COPAV+6zE2kgLuZA48lGt
=V6Fh
-----END PGP SIGNATURE-----
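
An added example, not part of either message: a short Python filter that pulls the dr.exe requests out of an IIS W3C extended log, swaps the client and server addresses for stable placeholders before the excerpt is posted, and decodes the query so the way commands were passed is visible. The sample log, the /scripts/ path, the function names and the /c-or-/k heuristic are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in W3C extended format; all addresses are documentation ranges.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip s-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-24 05:12:01 203.0.113.7 192.0.2.10 GET /default.htm - 200
2001-07-24 05:12:09 203.0.113.7 192.0.2.10 GET /scripts/dr.exe /c+dir+c:\ 200
2001-07-24 05:12:30 203.0.113.7 192.0.2.10 GET /scripts/dr.exe /c+del+c:\site\index.htm 200
2001-07-24 05:13:02 198.51.100.20 192.0.2.10 GET /images/logo.gif - 304
"""

def alias(aliases, label, ip):
    """Map an address to a stable placeholder so repeated sources stay correlated."""
    if ip not in aliases:
        n = sum(v.startswith(label) for v in aliases.values()) + 1
        aliases[ip] = f"{label}_{n}"
    return aliases[ip]

def find_hits(log_text, needle="dr.exe"):
    """Return redacted records for requests whose URI stem names `needle`."""
    fields, aliases, hits = [], {}, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):      # column layout can change mid-file
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split(" ")))
        if needle not in rec.get("cs-uri-stem", "").lower():
            continue
        for key, label in (("c-ip", "CLIENT"), ("s-ip", "SERVER")):
            if key in rec:
                rec[key] = alias(aliases, label, rec[key])
        query = rec.get("cs-uri-query", "-")
        command = None if query == "-" else unquote_plus(query)
        hits.append({
            "line": " ".join(rec[f] for f in fields if f in rec),
            "command": command,
            # Heuristic (assumption): a leading /c or /k switch is how cmd.exe takes a command.
            "cmd_style": bool(command and re.match(r"/[ck](\s|$)", command, re.I)),
        })
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit["line"], "| decoded:", hit["command"], "| cmd.exe-style:", hit["cmd_style"])
```

Only the address columns are rewritten; any address embedded elsewhere in a line (for example in a query string) still needs a manual check before posting.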

